\documentclass{beamer}

\mode<presentation> {
\usetheme{Berlin}
\useoutertheme{infolines}
%\setbeamertemplate{footline}
\setbeamertemplate{footline}{
    \hspace{.3cm}
    \vspace{4pt}
    %\includegraphics[scale=0.15]{nlnetlabslogo.jpg}
    \hspace{4.5cm}
    %\vspace{10pt}
    \scriptsize{\insertframenumber}
    \hfill
    %\includegraphics[scale=0.05]{uva-logo.png}
    \hspace{.3cm}
    %\vspace{-15pt}
}
\setbeamertemplate{navigation symbols}
}
%\usecolortheme{structure}


\usepackage{graphicx} % Allows including images
\usepackage{booktabs} % Allows the use of \toprule, \midrule and \bottomrule in tables

%---------TITLE PAGE---------%
\title{Honeynet as a service}
\author{Hanieh Bagheri, Todor Yakimov}
\institute[UvA]{}
\date{\today}
\begin{document}
\begin{frame}
\titlepage
\end{frame}



%--------------------------------


\begin{frame}

\frametitle{Introduction}
\begin{center}
\begin{itemize}
\item Honeynet:\\
    - A security resource for being probed, attacked or compromised\\
    - A trap for deceiving the attackers to exploit a controlled environment\\
    - Gathering, analysis and detection of malicious activities
\item Different types:\\
\end{itemize}
\vspace{15pt}

\end{center}
\end{frame}

%--------------------------------

\begin{frame}

\frametitle{Trends in using virtualization in honeynets}
\begin{center}
\begin{itemize}
\item Original honeynets:\\
    - Inside DMZ of the network\\
    - honeypots are running on physical machines\\
    - hard and costly to deploy and maintain\\
\item Virtual honeynets:\\
    - honeypots can be running on VMs running on top of real hardware\\
    - Clouds are also a good option\\
    - less costly to deploy and maintain\\
    - more secure
\item honeynet as a service?\\
    - Not implemented yet!
\end{itemize}
\vspace{15pt}

\end{center}
\end{frame}

%-------------------------------

\begin{frame}

\frametitle{Research question}
\begin{center}
\emph{What is an appropriate architecture \\ to be able to offer a honeynet as a service?}
\vspace{15pt}

\end{center}
\end{frame}

%--------------------------------

\begin{frame}

\frametitle{The proposed architecture}
\begin{center}
\includegraphics[scale=0.35]{model.png}
\end{center}
\end{frame}

%-------------------------------------
\begin{frame}

\frametitle{Front-End component}
\begin{center}
\begin{itemize}
\item The start point, where the customers can request for the service
\item A simple interface, such as a web application
\item Needed info from customers:\\
    - assigned internal IPs to the honeynet\\
    - the open ports on each IP\\
    - the vulnerable OSes or applications to be performed on honeypots\\
\item After reception of the request from the customer:\\
    - Initiate a monitor script\\
    - Initiate the required VM instances\\
    - Sends the results back to the customer
\end{itemize}    

\end{center}
\end{frame}

%-------------------------------------
\begin{frame}

\frametitle{Traffic forwarding component}
\begin{center}
\begin{itemize}
\item Forwards the traffic destined to honeynet IPs to the monitor
\item keep the IPs of the attacker and the honeynet unchanged
\item possible approaches:\\
    - iptables rules\\
    - switch configuration\\
    - VPN
\end{itemize}    

\end{center}
\end{frame}
%--------------------------------

\begin{frame}

\frametitle{The honeypot instances}
\begin{center}
\begin{itemize}
\item Virtual machines running vulnerable applications and OSes
\item A different or an unpatched version of the production services
\item Possible approaches:\\
    - Using Amazon EC2 instances:\\
        - Available AMIs\\
        - Receive an image from the customer\\
    -Clouds from other providers
\end{itemize}    

\end{center}
\end{frame}

%--------------------------------

\begin{frame}

\frametitle{The monitor}
\begin{center}
\begin{itemize}
\item Controlls the all the exchanged traffic
\item Receives connections from the attacker and sends the traffic to a port towards the right instance
\item Detects malicious activities via monitoring the VMs that try to download a shellcode
   - Easy
   - Ability to detect new attacks
\item sends the detection results and logs to the front-end 
\end{itemize}    

\end{center}
\end{frame}

%----------------------------------

\begin{frame}
	\frametitle{Implementation}
	A minimal implementation with the purpose of evaluating:
	\begin{itemize}
	 	\item Appropriate networking models
	 	\item The control and configuration of EC2-based VMs
	 	\item Implementation-specific features
	\end{itemize}
	\\ \vspace{3 mm}
	What was not evaluated:
	\begin{itemize}
		\item Front-end
		\item Patterns for recognizing attacks on monitor nodes
	\end{itemize}
\vspace{10 mm}


\end{frame}

\begin{frame}
	\frametitle{Technology overview}
	\begin{enumerate}[I]
	\item Network communication - only firewall-based (Linux iptables)
	\item Virtual instances control and configuration - Amazon's Python SDK
	\item Scrips parameter passing - Python Pyro Remote Method Invocations
	\begin{itemize}
		\item Initial pass of client IPs from their network
		\item Further passes of new IPs from client's network (honeypot camouflaging)
	\end{itemize}
	\end{enumerate}
\end{frame}

\begin{frame}
	\frametitle{Networking}
	\emph{Prerequisities:}\\ \vspace{1 mm}
	I.Packets reaching monitor nodes need to have as source and destination:
	\begin{itemize}
		\item The IP address of the attacker, and
		\item The honeypot IP address from the client's network
	\end{itemize}

	\\ \vspace{5 mm}
	II. Client's resources should not be burdened with:
	\begin{itemize}
		\item Connection tracking performed by ipables
		\item Return traffic
	\end{itemize}
\end{frame}


\begin{frame}
	\frametitle{Networking}
	\underline{Possible options for the client}
	\begin{itemize}
		\item Traffic redirection (PAT and/or DNAT) - no
		\item Traffic reflection - yes, but troublesome to achieve in a WAN environment
		\item Routing - yes, however via the INPUT chain's raw table (prerouting)
		\item Traffic cloning based on iptables and its xtables addon - yes
	\end{itemize}
	\\ \vspace{2 mm}
	\underline{The monitors}
	\\
	\begin{itemize}
		\item Traffic cloning, in conjunction with
		\item Python netfilter-queue
	\end{itemize}
	\\ \vspace{2 mm}
	\underline{The honeypots}
	\begin{itemize}
		\item DNAT
	\end{itemize}		
\end{frame}

\begin{frame}
	\frametitle{VM control and cofiguration}
	Implemented using Amazon's Python SDK dubbedd "boto".
	\begin{itemize}
		\item Starting/terminating instances
		\item AMI selection
		\item Reservation and (re)assignment of Elastic IPs and VPCs
	\end{itemize}
	\\ \vspace{2 mm}
	For testing the code, the following was defined:
	\begin{itemize}
		\item A single AMI for representing monitor stations
		\item A predefined set of AMIs running vulnerable releases of software such as Apache, FTP, SMTP
	\end{itemize}
\end{frame}

\begin{frame}
	\frametitle{VM control and cofiguration}
	Script parameter passing on monitor nodes:
	\begin{itemize}
		\item EBS-backed block device that holds the script of each monitor
		\item Calls performed by the application code that resides on the monitor itself after instance startup
	\end{itemize}
	\\ \vspace{2 mm}
	At the end, Python Pyro chosen.
\end{frame}	

\begin{frame}
	\frametitle{Further work}
	\begin{itemize}
		\item Inspection of honeypot inbound traffic on monitor nodes
		\item Inspecion of  outboud honeypot connections no monitor nodes 
		\item Monitor consolidation
	\end{itemize}
\end{frame}

\begin{frame}
	\frametitle{Conclusion}
It is possible to provide Honeynet As A Service solution that is:
	\begin{itemize}
		\item Secure
		\item Scalable
		\item Capable of attack detection and prevention
	\end{itemize}
\end{frame}

\end{frame}
\begin{frame}
	\frametitle{Questions}
\end{frame}
\end{document}














